This updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa :

  - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets     environmental variable based on user supplied Proxy     request header

  - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794     CVE-2016-6796 CVE-2016-6797 tomcat: various flaws

and includes two additional CVE fixes along with one bug fix :

  - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege     escalation via systemd-tmpfiles service

  - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable     config files allow privilege escalation

  - rhbz#1370262 - catalina.out is no longer in use in the     main package, but still gets rotated

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2016-704:01 advisory.

    Tomcat is the servlet container that is used in the official Reference     Implementation for the Java Servlet and JavaServer Pages technologies.
    The Java Servlet and JavaServer Pages specifications are developed by     Sun under the Java Community Process.
    Tomcat is developed in an open and participatory environment and     released under the Apache Software License version 2.0. Tomcat is intended     to be a collaboration of the best-of-breed developers from around the world.
    Security issues fixed with this release:
    CVE-2014-7810     The Expression Language (EL) implementation in Apache Tomcat 6.x     before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not     properly consider the possibility of an accessible interface     implemented by an inaccessible class, which allows attackers to bypass     a SecurityManager protection mechanism via a web application that     leverages use of incorrect privileges during EL evaluation.
    CVE-2015-5346     Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x     before 8.0.30, and 9.x before 9.0.0.M2, when different session     settings are used for deployments of multiple versions of the same web     application, might allow remote attackers to hijack web sessions by     leveraging use of a requestedSessionSSL field for an unintended     request, related to CoyoteAdapter.java and Request.java.
    CVE-2016-5388     Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows     RFC 3875 section 4.1.18 and therefore does not protect applications     from the presence of untrusted client data in the HTTP_PROXY     environment variable, which might allow remote attackers to redirect     an application's outbound HTTP traffic to an arbitrary proxy server     via a crafted Proxy header in an HTTP request, aka an httpoxy issue.
    NOTE: the vendor states A mitigation is planned for future releases     of Tomcat, tracked as CVE-2016-5388; in other words, this is not a     CVE ID for a vulnerability.
    CVE-2016-5425
    ** RESERVED **     This candidate has been reserved by an organization or individual that     will use it when announcing a new security problem.  When the     candidate has been publicized, the details for this candidate will be     provided.
    CVE-2016-6325
    ** RESERVED **     This candidate has been reserved by an organization or individual that     will use it when announcing a new security problem.  When the     candidate has been publicized, the details for this candidate will be     provided.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The Expression Language (EL) implementation in Apache     Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x     before 8.0.16 does not properly consider the     possibility of an accessible interface implemented by     an inaccessible class, which allows attackers to bypass     a SecurityManager protection mechanism via a web     application that leverages use of incorrect privileges     during EL evaluation.(CVE-2014-7810)

  - Session fixation vulnerability in Apache Tomcat 7.x     before 7.0.66, 8.x before 8.0.30, and 9.x before     9.0.0.M2, when different session settings are used for     deployments of multiple versions of the same web     application, might allow remote attackers to hijack web     sessions by leveraging use of a requestedSessionSSL     field for an unintended request, related to     CoyoteAdapter.java and Request.java.(CVE-2015-5346)

  - Apache Tomcat through 8.5.4, when the CGI Servlet is     enabled, follows RFC 3875 section 4.1.18 and therefore     does not protect applications from the presence of     untrusted client data in the HTTP_PROXY environment     variable, which might allow remote attackers to     redirect an application's outbound HTTP traffic to an     arbitrary proxy server via a crafted Proxy header in an     HTTP request, aka an 'httpoxy' issue. NOTE: the vendor     states 'A mitigation is planned for future releases of     Tomcat, tracked as CVE-2016-5388' in other words, this     is not a CVE ID for a vulnerability.(CVE-2016-5388)

  - It was discovered that the Tomcat packages installed     configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or     a malicious web application deployed on Tomcat could     use this flaw to escalate their     privileges.(CVE-2016-5425)

  - It was discovered that the Tomcat packages installed     certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group.
    A member of the group or a malicious web application     deployed on Tomcat could use this flaw to escalate     their privileges.(CVE-2016-6325)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-2046 advisory.

    - Resolves: CVE-2015-5346

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2046 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat     could use this flaw to escalate their privileges. (CVE-2016-5425)

    * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group. A member of the group or a malicious web     application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

    * It was found that the expression language resolver evaluated expressions within a privileged code     section. A malicious web application could use this flaw to bypass security manager protections.
    (CVE-2014-7810)

    * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use     this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a     malicious HTTP request. (CVE-2016-5388)

    * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least     one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could     reuse a previously used session ID for further requests. (CVE-2015-5346)

    Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott     Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product     Security.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es) :

* It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)

* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.

Security Fix(es) :

  - It was discovered that the Tomcat packages installed     configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or     a malicious web application deployed on Tomcat could use     this flaw to escalate their privileges. (CVE-2016-5425)

  - It was discovered that the Tomcat packages installed     certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group.
    A member of the group or a malicious web application     deployed on Tomcat could use this flaw to escalate their     privileges. (CVE-2016-6325)

  - It was found that the expression language resolver     evaluated expressions within a privileged code section.
    A malicious web application could use this flaw to     bypass security manager protections. (CVE-2014-7810)

  - It was discovered that tomcat used the value of the     Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which     in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing HTTP     requests. A remote attacker could possibly use this flaw     to redirect HTTP requests performed by a CGI script to     an attacker-controlled proxy via a malicious HTTP     request. (CVE-2016-5388)

  - A session fixation flaw was found in the way Tomcat     recycled the requestedSessionSSL field. If at least one     web application was configured to use the SSL session ID     as the HTTP session ID, an attacker could reuse a     previously used session ID for further requests.
    (CVE-2015-5346)

The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.15.5. It is, therefore, affected by multiple vulnerabilities.

ID	Name	Product	Family	Published	Updated	Severity
94747	Fedora 23 : 1:tomcat (2016-4094bd4ad6) (httpoxy)	Nessus	Fedora Local Security Checks	11/14/2016	1/19/2026	critical
94748	Fedora 24 : 1:tomcat (2016-c1b01b9278) (httpoxy)	Nessus	Fedora Local Security Checks	11/14/2016	1/19/2026	critical
289327	MiracleLinux 7 : tomcat-7.0.54-8.el7 (AXSA:2016-704:01)	Nessus	Miracle Linux Local Security Checks	1/16/2026	2/10/2026	high
94997	Fedora 25 : 1:tomcat (2016-38e5b05260) (httpoxy)	Nessus	Fedora Local Security Checks	11/21/2016	1/16/2026	critical
99812	EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)	Nessus	Huawei Local Security Checks	5/1/2017	12/22/2025	high
93948	Oracle Linux 7 : tomcat (ELSA-2016-2046)	Nessus	Oracle Linux Local Security Checks	10/11/2016	1/22/2026	high
93951	RHEL 7 : tomcat (RHSA-2016:2046)	Nessus	Red Hat Local Security Checks	10/11/2016	1/22/2026	high
93966	CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)	Nessus	CentOS Local Security Checks	10/12/2016	1/22/2026	high
94005	Scientific Linux Security Update : tomcat on SL7.x (noarch) (20161010) (httpoxy)	Nessus	Scientific Linux Local Security Checks	10/12/2016	1/22/2026	high
112192	Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities	Nessus	CGI abuses	8/30/2018	6/6/2024	critical

Detections

Analytics

Plugins Search

critical

critical

high

critical

high

high

high

high

high

critical